
Bug#704829: unblock: asterisk/1:1.8.13.1~dfsg-2



On Mon, Apr 08, 2013 at 10:18:14PM +0100, Adam D. Barratt wrote:
> On Mon, 2013-04-08 at 22:56 +0200, Tzafrir Cohen wrote:
> > On Mon, Apr 08, 2013 at 09:13:43PM +0100, Adam D. Barratt wrote:
> > > On Sat, 2013-04-06 at 16:39 +0300, Tzafrir Cohen wrote:
> > > > Please unblock package asterisk. It includes a number of fixes, mostly
> > > > two series of security fixes.
> [...]
> > > > +  * Patches backported from Asterisk 1.8.19.1 (Closes: #697230):
> > > > +    - Patch AST-2012-014 (CVE-2012-5976) - fixes Crashes due to large stack
> > > > +      allocations when using TCP.
> > > > +      The following two fixes were also pulled in order to easily apply it:
> > > > +      - Patch fix-sip-tcp-no-FILE - Switch to reading with a recv loop
> > > 
> > > That patch is more than 30% of the diff on its own. :-(
> > > 
> > > How difficult would it have been to backport the fix to the code we have
> > > in wheezy?
> > 
> > Looking into that.
> 
> Thanks. If the answer is that it's non-trivial then it may be worth
> considering whether we should let the package spend a few more days in
> unstable (depending on how urgently the security team believe we need
> the fixes in wheezy).

Done. It turned out to be much smaller than the original one. At first
glance there isn't any other code path.

http://anonscm.debian.org/viewvc/pkg-voip/asterisk/trunk/debian/patches/AST-2012-014?revision=10137&view=markup

All other requested changes are committed to SVN. I'll rebuild -3
morning.

-- 
Tzafrir Cohen         | tzafrir@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir@cohens.org.il |                    |  best
tzafrir@debian.org    |                    | friend

